

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and Attack-Resilient Performance*

Yi-Hua E. Yang, Ming Hsieh Dept. of Electrical Eng., University of Southern California, Email: yeyang@usc.edu
Viktor K. Prasanna, Ming Hsieh Dept. of Electrical Eng., University of Southern California, Email: prasanna@usc.edu
Chenqian Jiang, Ming Hsieh Dept. of Electrical Eng., University of Southern California, Email: chenqiaj@usc.edu

Abstract—Dictionary-based string matching (DBSM) is a critical component of Deep Packet Inspection (DPI), where thousands of malicious patterns are matched against high-bandwidth network traffic. Deterministic finite automata constructed with the Aho-Corasick algorithm (AC-DFA) have been widely used for solving this problem. However, the state transition table (STT) of a large-scale DBSM AC-DFA can span hundreds of megabytes of system memory, whose limited bandwidth and long latency could become the performance bottleneck. We propose a novel partitioning algorithm which converts an AC-DFA into a "head" and a "body" parts. The head part behaves as a traditional AC-DFA that matches the pattern prefixes up to a predefined length; the body part extends any head match to the full pattern length in parallel body-tree traversals. Taking advantage of the SIMD instructions in modern x86-64 multi-core processors, we design compact and efficient data structures packing multi-path and multi-stride pattern segments in the body-tree. Compared with an optimized AC-DFA solution, our head-body matching (HBM) implementation achieves 1.2x to 3x throughput performance when the input match (attack) ratio varies from 2% to 32%, respectively. Our HBM data structure is over 20x smaller than a fully-populated AC-DFA for both Snort and ClamAV dictionaries. The aggregated throughput of our HBM approach scales almost 7x with 8 threads to over 10 Gbps in a dual-socket quad-core Opteron (Shanghai) server.

Index Terms—String matching; SIMD; multi-core processor; DFA; NFA; tree topology; multi-stride tree; intrusion detection; virus scanning

I. INTRODUCTION

Deep packet inspection (DPI) is a critical component of network security systems where the contents of the network traffic are continuously examined. Examples include network intrusion detection [1], virus scanning [2] and content filtering [3]. Dictionary-based string matching (DBSM) is the most widely-used pattern matching mechanism used by DPI to match an input stream against a large number of strings. Due to the explosive growth of network bandwidth and number of malicious attacks, DBSM has become a major performance bottleneck in DPI systems [4].

From an architecture point of view, DBSM solutions can be categorized into two main groups: (1) hardware designs on ASIC or FPGAs [5], [6], [7], [8], [9], [4], [10], [11]; and (2) software designs on multi-core systems [12], [13], [14]. While implementing DBSM in software may not produce the highest performance, it has several critical advantages:

Modularity: A DBSM solution is usually part of a more complex DPI system. Implementing DBSM as a software module for multi-core processors makes it easier to integrate DBSM with the rest of the DPI system.

Extensibility: A processor-based system is more flexible and extensible than a piece of hardware. For example, the memory size and network bandwidth can be easily upgraded in many cases with a server reboot.

Portability: The same (multi-threaded) software executable can run on processors with various number of cores or cache sizes. Its performance can usually be improved substantially by simply upgrading the processor and without changing the source code.

A similar but more powerful pattern matching mechanism is the regular expression matching (REM). While REM can be regarded as a superset problem to DBSM, in this study we focus only on DBSM on multi-core systems for three reasons.

First, DBSM is used more widely than REM. A larger number of DPI rules utilize only DBSM together with other higher-level directives. For those rules that do require REM, DBSM is usually also used in the pre-filtering process.

Second, the performance of existing DBSM solutions on multi-core systems still leave much to be desired. In [13], the GPU-accelerated solution achieved 2.3 Gbps against 4000 random strings. In [15], the dual Cell B.E. system achieved 4.5 Gbps with (or 3.5 Gbps without) a-posteriori knowledge of the input. In [14], a throughput of 7.5 Gbps was achieved using 32 processors in a Cray XMT supercomputer. There is yet a cost-efficient DBSM solution capable of matching 10 Gbps traffic against several thousand strings on a multi-core platform.

Third, although REM performance on multi-core systems is generally very poor (between 30 to 300 Mbps as in [16]), high-

* Supported by U.S. National Science Foundation under grant CCR-0702784
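
The head/body split described in the abstract, as an added example that is not the authors' implementation: an Aho-Corasick automaton is built only over pattern prefixes of length HEAD_LEN, and each head match is then extended against the remaining suffixes. The body here is a plain per-prefix suffix list checked with startswith, a simplification standing in for the paper's SIMD-packed body-tree; HEAD_LEN, PATTERNS, SAMPLE and the function names are assumptions, and the dictionary and input are constructed.

```python
from collections import deque

HEAD_LEN = 4  # assumed head depth (the abstract's "predefined length")
PATTERNS = [b"cmd.exe", b"cmd.com", b"/etc/passwd", b"GET", b"etc"]  # constructed
SAMPLE = b"GET /etc/passwd?x=cmd.exe"                                # constructed

def build_hbm(patterns, head_len=HEAD_LEN):
    """Return (goto, fail, out, body): head AC automaton plus body suffix map."""
    goto, fail, out = [{}], [0], [set()]  # trie edges, failure links, prefix outputs
    body = {}                             # prefix -> suffixes (b"" = head-only pattern)
    for p in patterns:
        prefix, suffix = p[:head_len], p[head_len:]
        body.setdefault(prefix, []).append(suffix)
        s = 0
        for ch in prefix:                 # insert only the prefix into the head trie
            if ch not in goto[s]:
                goto.append({})
                fail.append(0)
                out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(prefix)
    queue = deque(goto[0].values())       # breadth-first failure-link construction
    while queue:
        s = queue.popleft()
        for ch, t in goto[s].items():
            f = fail[s]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(ch, 0)
            out[t] |= out[fail[t]]        # inherit prefixes ending at the fail state
            queue.append(t)
    return goto, fail, out, body

def scan(data, automaton):
    """Return sorted (start_offset, pattern) for every full pattern in data."""
    goto, fail, out, body = automaton
    hits, s = [], 0
    for i, ch in enumerate(data):
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        for prefix in out[s]:             # head match ending at offset i
            start = i - len(prefix) + 1
            for suffix in body[prefix]:   # body: extend head match to full pattern
                if data.startswith(suffix, i + 1):
                    hits.append((start, prefix + suffix))
    return sorted(hits)
```

Calling build_hbm with head_len larger than every pattern degenerates to an ordinary Aho-Corasick trie, so comparing len(goto) between the two builds shows how truncating to the head shrinks the automaton while scan returns the same matches.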
